Bug 2040268 (CVE-2022-0225)
| Summary: | CVE-2022-0225 keycloak: Stored XSS in groups dropdown | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Paramvir jindal <pjindal> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, boliveir, chazlett, drieden, pdrozd, pjindal, sthorger |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-03 07:34:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2040242, 2040468 | ||
I have replicated this issue with latest upstream keycloak 16.0.1 and latest RHSSO i.e. 7.5 This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782 This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783 This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411 This issue has been addressed in the following products: Red Hat Single Sign-On 7.6.1 Via RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0225 |
The ”Groups” dropdown in ”Add user” is not escaped properly and can be exploited. Steps to reproduce Start a vanilla keycloak (or an existing one): docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:16.1.0 Login and go to Groups. Click New to add a new group. Add a group using the payload below: "><img src=x onerror=prompt(location)> Go to Users and click Add user. Click Groups and enter a character, as o, to display the group. This will trigger our prompt from the group name. Maybe also other places has this issue? This is probably an easy fix for you, but in case you want me to look into it I can do it. I’m jxn0 on github.